U.S. Department of the Interior 
PRIVACY IMPACT ASSESSMENT

Introduction


The Department of the Interior requires PIAs to be conducted and maintained on all IT systems whether 
already in existence, in development or undergoing modification in order to adequately evaluate privacy 
risks, ensure the protection of privacy information, and consider privacy implications throughout the 
information system development life cycle. This PIA form may not be modified and must be completed 
electronically; hand-written submissions will not be accepted. See the DOI PIA Guide for additional 
guidance on conducting a PIA or meeting the requirements of the E-Government Act of 2002. See 
Section 6.0 of the DOI PIA Guide for specific guidance on answering the questions in this form. 


NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA template to 
assess third-party websites or applications. 


Name of Project: Interior Department Electronic Acquisition System (IDEAS) Decommissioning 
Bureau/Office: Interior Business Center, Financial Management Directorate 

Date: December 30, 2016 

Point of Contact 

Name: John Maye 

Title: Chief, Customer Support Branch, Finance and Procurement Systems Division 

Email: john_maye@ibc.doi.gov 

Phone: 703-487-0891 

Address: 12201 Sunrise Valley Drive, Reston, VA 20192 


Section 1. General System Information 
A. Is a full PIA required? 


[X] Yes, information is collected from or maintained on
    [ ] Members of the general public
    [X] Federal personnel and/or Federal contractors
    [ ] Volunteers
    [ ] All

[ ] No: Information is NOT collected, maintained, or used that is identifiable to the individual in
this system. Only sections 1 and 5 of this form are required to be completed.


B. What is the purpose of the system? 
The Interior Department Electronic Acquisition System (IDEAS) was a client-server
based commercial-off-the-shelf software used as a procurement application that provided
electronic commerce tools to manage, report, and process the acquisition of products and
services for the Department of Interior (DOI), Federal agency customers, and external
customer. IDEAS enabled DOI and external customer organization procurement offices
to electronically transmit Requests for Proposals (RFPs) or Requests for Quotations
(RFQs) and allowed vendors to submit quotes electronically in response. IDEAS is
being decommissioned because the vendor, CGI, no longer supports this software.
Below is the description of the decommissioning of the software, hardware, and data.


Software: After the system was decommissioned, the IDEAS software was stored on a 
compact disk (CD). The CD also contains instructions for installing the IDEAS software on 
IBM PC compatible computers and instructions for upgrading Oracle and Sybase databases to 
the latest version. This archived information is included in the Records Transfer Number,
PT-048-2015-0096, and contains only unclassified information for the IDEAS information system.


Hardware: All IDEAS related hardware is on the DOI Virtual Environment. IDEAS is a 
Windows and Linux based system, which consists of six servers, and interfaces with external 
systems. IDEAS has a public-facing component that displays information accessible to 
vendors. The other components of IDEAS are internal to DOI and restricted to DOI users. 
IDEAS also interconnects with agencies outside of the DOI. The Agency IDEAS Procurement 
Desktop (PD) installation resides in their respective agency’s information system. After the
IDEAS hardware was decommissioned, the database and application servers would be
re-purposed for other ongoing and new applications.


Data: 


• The following bureaus and offices migrated data from IDEAS to the DOI Financial
  Business Management System (FBMS) in accordance with the planned deployment
  schedule for each bureau/office and began using FBMS:
    o Bureau of Indian Affairs
    o Bureau of Land Management
    o Bureau of Ocean Energy Management
    o Bureau of Safety and Environmental Enforcement
    o Bureau of Reclamation
    o U.S. Fish and Wildlife Service
    o National Park Service
    o Office of Surface Mining Reclamation and Enforcement
    o Interior Business Center
    o U.S. Geological Survey
    o Office of the Secretary and Departmental Offices, including Office of the
      Special Trustee

• National Transportation Safety Board (NTSB), a Federal agency customer using
  IDEAS, migrated its data to the DOI Momentum application.

• The following Federal agency customers and external customer maintained their IDEAS
  production application, data files, and archive in accordance with their agency records
  retention policy and schedule.
    o Federal Communications Commission
    o U.S. Maritime Administration
    o Department of Justice, Office of Justice Programs
    o John F. Kennedy Center for the Performing Arts


C. What is the legal authority?

The E-Government Act of 2002 (P.L. 107-347) and Expanding Electronic Government in the
President’s Management Agenda.


D. Why is this PIA being completed or modified?

[ ] New Information System
[ ] New Electronic Collection
[ ] Existing Information System under Periodic Review
[ ] Merging of Systems
[ ] Significantly Modified Information System
[ ] Conversion from Paper to Electronic Records
[X] Retiring or Decommissioning a System
[ ] Other: Describe

E. Is this information system registered in CSAM?

[X] Yes: Enter the UII Code and the System Security Plan (SSP) Name:

010-000000365; Interior Department Electronic Acquisition System (IDEAS) System
Security Plan

[ ] No


F. List all minor applications or subsystems that are hosted on this system and covered under
this privacy impact assessment.

Subsystem Name | Purpose | Contains PII (Yes/No) | Describe (If Yes, provide a description.)
None           | None    | No                    | N/A

G. Does this information system or electronic collection require a published Privacy Act
System of Records Notice (SORN)?

Yes: List Privacy Act SORN Identifier(s)

IDEAS records are covered by DOI-89, Financial and Business Management System (FBMS) —
Grants and Cooperative Agreements, July 28, 2008 (73 FR 43775). DOI-89 is currently being
revised to reflect updates and changes to the system.

[ ] No


H. Does this information system or electronic collection require an OMB Control Number?

[ ] Yes: Describe
[X] No


Section 2. Summary of System Data 
A. What PII will be collected? Indicate all that apply. 


[ ] Name
[ ] Citizenship
[ ] Gender
[ ] Birth Date
[ ] Group Affiliation
[ ] Marital Status
[ ] Biometrics
[ ] Other Names Used
[ ] Truncated SSN
[ ] Legal Status
[ ] Place of Birth
[ ] Religious Preference
[ ] Security Clearance
[ ] Spouse Information
[ ] Financial Information
[ ] Medical Information
[ ] Disability Information
[ ] Credit Card Number
[ ] Law Enforcement
[ ] Education Information
[ ] Emergency Contact
[ ] Driver’s License
[ ] Race/Ethnicity
[ ] Social Security Number (SSN)
[ ] Personal Cell Telephone Number
[ ] Tribal or Other ID Number
[ ] Personal Email Address
[ ] Mother’s Maiden Name
[ ] Home Telephone Number
[ ] Child or Dependent Information
[ ] Employment Information
[ ] Military Status/Service
[ ] Mailing/Home Address
[X] Other: Specify the PII collected.

This system is no longer used to collect or maintain personally identifiable information (PII). 
IDEAS has been decommissioned and the data was successfully migrated or archived. 


B. What is the source for the PII collected? Indicate all that apply.

[ ] Individual
[ ] Federal agency
[ ] Tribal agency
[ ] Local agency
[ ] DOI records
[ ] Third party source
[ ] State agency
[X] Other: Describe

This system is no longer used to collect or maintain PII. IDEAS has been decommissioned and
the data was successfully migrated or archived.


C. How will the information be collected? Indicate all that apply.

[ ] Paper Format
[ ] Email
[ ] Face-to-Face Contact
[ ] Web site
[ ] Fax
[ ] Telephone Interview
[ ] Information Shared Between Systems
[X] Other: Describe

This system is no longer used to collect or maintain PII. IDEAS has been decommissioned and
the data was successfully migrated or archived.


D. What is the intended use of the PII collected?

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on bureau/office or NTSB data that was migrated, please see the FBMS
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained
their IDEAS production application, data files, and archive are responsible for the collection and
maintenance of their agency records.


E. With whom will the PII be shared, both within DOI and outside DOI? Indicate all that
apply.

[X] Within the Bureau/Office: Describe the bureau/office and how the data will be used.

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on IBC data that was migrated, please see the FBMS Cloud PIA.

[X] Other Bureaus/Offices: Describe the bureau/office and how the data will be used.

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on bureau/office data that was migrated, please see the FBMS Cloud PIA.

[X] Other Federal Agencies: Describe the federal agency and how the data will be used.

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on the NTSB data that was migrated, please see the Momentum PIA.
Federal agency customers and external customer that maintained their IDEAS production
application, data files, and archive are responsible for the sharing of their agency records.

[ ] Tribal, State or Local Agencies: Describe the Tribal, state or local agencies and how the data
will be used.

Contractor: Describe the contractor and how the data will be used.

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
Data is not shared with CGI because the vendor no longer supports the IDEAS software.

[ ] Other Third Party Sources: Describe the third party source and how the data will be used.


F. Do individuals have the opportunity to decline to provide information or to consent to the
specific uses of their PII?

[ ] Yes: Describe the method by which individuals can decline to provide information or how
individuals consent to specific uses.

[X] No: State the reason why individuals cannot object or why individuals cannot give or
withhold their consent.

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on bureau/office or NTSB data that was migrated, please see the FBMS
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained
their IDEAS production application, data files, and archive are responsible for the collection and
maintenance of their agency records.


G. What information is provided to an individual when asked to provide PII data? Indicate
all that apply.

[ ] Privacy Act Statement: Describe each applicable format.
[ ] Privacy Notice: Describe each applicable format.
[ ] Other: Describe each applicable format.
[X] None

H. How will the data be retrieved? List the identifiers that will be used to retrieve information 
(e.g., name, case number, etc.). 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


I. Will reports be produced on individuals? 


[ ] Yes: What will be the use of these reports? Who will have access to them?
[X] No


Section 3. Attributes of System Data 
A. How will data collected from sources other than DOI records be verified for accuracy? 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


B. How will data be checked for completeness? 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 







C. What procedures are taken to ensure the data is current? Identify the process or name the 
document (e.g., data models). 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


D. What are the retention periods for data in the system? Identify the associated records 
retention schedule for the records in this system. 


IDEAS records were maintained under the Departmental Records Schedule (DRS) 1.3B — Long-term
Financial and Acquisition Records (DAA-0048-2013-0001-0011), which was approved by
the National Archives and Records Administration (NARA). The disposition is temporary and 
records are destroyed seven years after cut-off on final payment. 


Federal agency customers and external customer maintained their IDEAS production
application, data files, and archive in accordance with their agency records retention policy and
schedule.


E. What are the procedures for disposition of the data at the end of the retention period? 
Where are the procedures documented? 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer maintained
their IDEAS production application, data files, and archive in accordance with their agency
records retention policy and schedule.


The approved disposition methods include shredding or pulping for paper records, and 
degaussing or erasing for electronic records, in accordance with NARA Guidelines and 384 
Departmental Manual 1. 


F. Briefly describe privacy risks and how information handling practices at each stage of the 
“information lifecycle” (i.e., collection, use, retention, processing, disclosure and 
destruction) affect individual privacy. 


There is minimal risk to individual privacy as DOI bureaus and offices no longer process data
in IDEAS and the legacy data was successfully migrated to the FBMS Cloud system. For
Federal agency customers and the external customer, these data files are maintained by each
agency in accordance with their agency’s records and retention schedules. All IDEAS related
hardware is on the DOI Virtual Environment. After decommissioning, the Solaris database
servers and Windows application servers were re-purposed by OCIO for other ongoing and new
applications.


The decommissioning of IDEAS does not affect the enterprise security posture because
IDEAS is disconnected from the IBC network; the only change is the deletion of IDEAS from
the enterprise Assessment and Authorization boundary. PII no longer remains on IDEAS.
Please see the FBMS Cloud and Momentum PIAs for an analysis of the privacy risks and how the
data is handled at each stage of the information lifecycle.


Section 4. PIA Risk Review 


A. Is the use of the data both relevant and necessary to the purpose for which the system is
being designed?

[ ] Yes: Explanation
[X] No

B. Does this system or electronic collection derive new data or create previously unavailable 
data about an individual through data aggregation? 


[ ] Yes: Explain what risks are introduced by this data aggregation and how these risks will be
mitigated.

[X] No

C. Will the new data be placed in the individual’s record?

[ ] Yes: Explanation
[X] No

D. Can the system make determinations about individuals that would not be possible without
the new data?

[ ] Yes: Explanation
[X] No


E. How will the new data be verified for relevance and accuracy?

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII.
For more information on bureau/office or NTSB data that was migrated, please see the FBMS
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained
their IDEAS production application, data files, and archive are responsible for the collection and
maintenance of their agency records.

F. Are the data or the processes being consolidated?

[ ] Yes, data is being consolidated. Describe the controls that are in place to protect the data
from unauthorized access or use.

[ ] Yes, processes are being consolidated. Describe the controls that are in place to protect the
data from unauthorized access or use.

[X] No, data or processes are not being consolidated.

G. Who will have access to data in the system or electronic collection? Indicate all that apply.

[ ] Users
[ ] Contractors
[ ] Developers
[ ] System Administrator
[X] Other: Describe

Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


H. How is user access to data determined? Will users have access to all data or will access be 
restricted? 


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


I. Are contractors involved with the design and/or development of the system, or will they be 
involved with the maintenance of the system? 


[X] Yes. Were Privacy Act contract clauses included in their contracts and other regulatory
measures addressed?

Privacy Act contract clauses are included in all contractor agreements.

[ ] No

J. Is the system using technologies in ways that the DOI has not previously employed (e.g.,
monitoring software, SmartCards or Caller ID)?

[ ] Yes. Explanation
[X] No


K. Will this system provide the capability to identify, locate and monitor individuals?

[ ] Yes. Explanation
[X] No

L. What kinds of information are collected as a function of the monitoring of individuals?


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


M. What controls will be used to prevent unauthorized monitoring?


Not applicable as this system is decommissioned and is no longer used to collect or maintain PII. 
For more information on bureau/office or NTSB data that was migrated, please see the FBMS 
Cloud and Momentum PIAs. Federal agency customers and external customer that maintained 
their IDEAS production application, data files, and archive are responsible for the collection and 
maintenance of their agency records. 


N. How will the PII be secured?

(1) Physical Controls. Indicate all that apply.

[X] Security Guards
[X] Key Guards
[X] Locked File Cabinets
[X] Secured Facility
[X] Closed Circuit Television
[X] Cipher Locks
[X] Identification Badges
[ ] Safes
[ ] Combination Locks
[X] Locked Offices
Other. Describe

The IDEAS system and hardware are located in secured DOI facilities. This system is
decommissioned and is no longer used to collect or maintain PII. For more information, see
the FBMS Cloud and Momentum PIAs. Federal agency customers and external customer
that maintained their IDEAS production application, data files, and archive are responsible
for implementing the physical controls for their system.


(2) Technical Controls. Indicate all that apply.

[X] Password
[X] Firewall
[X] Encryption
[X] User Identification
[ ] Biometrics
[X] Intrusion Detection System (IDS)
[X] Virtual Private Network (VPN)
[X] Public Key Infrastructure (PKI) Certificates
[X] Personal Identity Verification (PIV) Card
Other. Describe

In addition to the controls above, IDEAS also uses Transport Layer Security. The IDEAS
system and hardware are located in a secured DOI environment with appropriate security
controls. The IDEAS database servers and Windows application servers will be sanitized and
re-purposed. This system is decommissioned and is no longer used to collect or maintain PII.
For more information, see the FBMS Cloud and Momentum PIAs. Federal agency
customers and external customer that maintained their IDEAS production application, data
files, and archive are responsible for implementing the technical controls for their system.


(3) Administrative Controls. Indicate all that apply.

[X] Periodic Security Audits
Backups Secured Off-site
[X] Rules of Behavior
[X] Role-Based Training
[X] Regular Monitoring of Users’ Security Practices
[X] Methods to Ensure Only Authorized Personnel Have Access to PII
[X] Encryption of Backups Containing Sensitive Data
[X] Mandatory Security, Privacy and Records Management Training
[X] Other. Describe

The IDEAS system and hardware are located in a secured DOI environment with appropriate
security controls. The IDEAS database servers and Windows application servers will be
sanitized and re-purposed. This system is decommissioned and is no longer used to collect or
maintain PII. For more information, see the FBMS Cloud and Momentum PIAs. Federal
agency customers and external customer that maintained their IDEAS production application,
data files, and archive are responsible for implementing the administrative controls for their
system.


O. Who will be responsible for protecting the privacy rights of the public and employees? This 
includes officials responsible for addressing Privacy Act complaints and requests for 
redress or amendment of records. 


The Director, Office of Acquisition and Property Management is the IDEAS Information System 
Owner and the official responsible for oversight and management of the IDEAS security and 
privacy controls and the protection of data during the decommission process. The IDEAS 
Information System Owner is also responsible for ensuring adequate safeguards are implemented 
to protect individual privacy in compliance with Federal laws and policies for the use and 
decommissioning of IDEAS, and for addressing complaints or requests in consultation with DOI 
privacy officials. 


This system is decommissioned and is no longer used to collect or maintain PII. For more 
information, please see the FBMS Cloud and Momentum PIAs. Federal agency customers and 
external customer that maintained their IDEAS production application, data files, and archive are 
responsible for the collection and maintenance of their agency records. 


P. Who is responsible for assuring proper use of the data and for reporting the loss, 
compromise, unauthorized disclosure, or unauthorized access of privacy protected 
information? 


The IDEAS Information System Owner is responsible for oversight and management of the
IDEAS security and privacy controls, and for ensuring to the greatest extent that data is properly
managed and that all access to the data has been granted in a secure and auditable manner. The
Information System Owner is also responsible for ensuring that any loss, compromise,
unauthorized access or disclosure of PII is reported to US-CERT within 1-hour of
discovery in accordance with Federal policy and established procedures. The Federal agency
customers and external customer are responsible for reporting of any potential loss, compromise,
unauthorized access or disclosure of data resulting from their activities or management of the
data.


However, the IDEAS system was decommissioned and is no longer used to collect or maintain 
any data. For more information, please see the FBMS Cloud and Momentum PIAs. Federal 
agency customers and external customer are responsible for the collection and maintenance of 
their agency records. 